Slashdot Mirror


Apache Request Smuggling Vulnerability Found

An anonymous reader writes "Whitedust is reporting on a HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggyback valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server."
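
Request smuggling works because two parsers in the chain (say, a caching proxy and Apache) disagree on where one request's body ends and the next request begins. The check below is an added example, not code from the Slashdot post or from Apache: it inspects a raw HTTP/1.1 request and reports framing that is ambiguous enough to be parsed two ways. The post only mentions Content-Length; the Transfer-Encoding check is a generalisation beyond it, and the sample requests are constructed for the example.

```python
# Added example (not from the post or Apache): reject HTTP/1.1 requests
# whose body length is ambiguous, which is what request smuggling relies on.
import re

REQ_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def framing_problems(raw: bytes) -> list:
    """Return reasons a request's framing is ambiguous ([] if it is clean)."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end of headers"]
    lines = head.split(b"\r\n")
    if not REQ_LINE.match(lines[0]):
        problems.append("malformed request line")
    content_lengths = []
    has_te = False
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append(f"header without colon: {line!r}")
            continue
        name, value = name.strip().lower(), value.strip()
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            has_te = True
    # Repeated Content-Length headers are tolerable only when they agree;
    # different parsers pick the first or the last one otherwise.
    if len(set(content_lengths)) > 1:
        problems.append(f"conflicting Content-Length values: {content_lengths!r}")
    # Anything but a plain decimal (signs, spaces, hex) is parsed unevenly.
    for v in content_lengths:
        if not re.fullmatch(rb"[0-9]+", v):
            problems.append(f"non-decimal Content-Length: {v!r}")
    # Generalisation beyond the post: Content-Length next to Transfer-Encoding
    # is the other classic framing ambiguity.
    if content_lengths and has_te:
        problems.append("Content-Length together with Transfer-Encoding")
    return problems


# Constructed samples: two disagreeing Content-Length headers mean one parser
# may treat the trailing "GET /other" as a second, smuggled request.
SMUGGLED = (b"POST /index.html HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 0\r\nContent-Length: 43\r\n\r\n"
            b"GET /other HTTP/1.1\r\nHost: example.test\r\n\r\n")
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

A front-end that drops any request with a non-empty problem list never has to guess which body length the back-end will believe.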

9 of 168 comments

  1. HTTP request smuggling by hostyle · · Score: 5, Funny

    Damn pirates! They're everywhere.

    --
    Caesar si viveret, ad remum dareris.
  2. Re:Only Apache 2.0.x, not 1.3.x by werewolf1031 · · Score: 3, Funny

    Aaaand, I'm assuming by that the potential for a surfer to inadvertently pick up a hijacker while browsing your site causes you to lose sleep? Wow. Take some Nytol or something, dude. It's Not That Friggin Important!

  3. Bug was found by hobotron · · Score: 5, Funny


    by noticing the apache servers were being forced further and further west

    --
    There is truth in humor.
  4. Re:.. so this is an apache vulnerability now. by Anonymous Coward · · Score: 1, Funny

    Sure, this affects Apache.

    So now it's a feature and not a bug? :)

  5. Re:.. so this is an apache vulnerability now. by Frankie70 · · Score: 2, Funny

    And editors... do your job, otherwise you'll soon be replaced by monkeys trained to click the 'Accept Article' button all day.

    I thought that replacement has already happened quite some time back.

  6. Re:Damn, now I have to wait for longhorn. by toddbu · · Score: 4, Funny

    There's a well known thought experiment called Schrodinger's Server. You put a Windows Server in a box along with a test tube full of poison capped by a single atom. You then seal the box. According to the Windows Heisenberg Uncertainty Server Principal, at any point in time the server in the box is simultaneously dead and dead.

    --
    If you don't want crime to pay, let the government run it.
  7. Re:Wait a sec.. by ion++ · · Score: 2, Funny

    The latest "bleeding-edge" version is often actually more stable.

    I think that the Debian folks may have an issue with this statement. Let's rephrase it then.

    The latest stable version is often actually stale
  8. Re:Wait a sec.. by QuickFox · · Score: 2, Funny

    The latest stable version is often actually stale

    Henceforth we'll label them "sta(b)le".

    --
    Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
  9. Re:2.1.6 by The name is Dave. Ja · · Score: 2, Funny

    I'm holding out for teh 1.3.37 version.

    Lame apache tribute:
    http://www.adojji.org/adojji/